On 2/22/2013 3:27 PM, David F. Skoll wrote:
> On Fri, 22 Feb 2013 12:20:22 -0800
> Marc Perkel <supp...@junkemailfilter.com> wrote:
>> We need a rule to catch this. It looks like more data than it is but
>> it's really little more than a single link. Like to see a rule that
>> identifies it.
> Our product lets you make compound rules. It should not be very hard
> to translate this to SpamAssassin:
>   Header Matches RegExp ^To:(.*?@.*?){5} AND
>   Envelope Sender Ends with @yahoo.com AND
>   MessageSize < 6000
> Well, ok... the MessageSize condition is tricky. And this rule does
> kick up some false-positives, but overall it works pretty well for us.
Here's the current version I'm using based on 3.4.0 trunk:
#YAHOO COMPROMISED ACCOUNT SPAMS - SCORED HIGH BECAUSE THESE ARE
#COMPROMISED ACCOUNTS WHICH MAKES ALL OF YAHOO!'s PROCEDURES QUESTIONABLE
header   __KAM_YAHOO1  From =~ /\@(yahoo.com|yahoo.com.id|rocketmail.com)/i
header   __KAM_YAHOO2  Subject =~ /^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$|excellent!?$|very good!?$|great!?$)/
body     __KAM_YAHOO3  /\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} \d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)/
header   __KAM_YAHOO4  From:name =~ /Connor Hopkins/i
meta     KAM_YAHOO     (__KAM_YAHOO1 + __KAM_YAHOO2 + __KAM_YAHOO3 + __KAM_YAHOO4 + __KAM_BODY_LENGTH_LT_128 + MISSING_SUBJECT >= 3)
describe KAM_YAHOO     Compromised Yahoo! Accounts Sending Spam
score    KAM_YAHOO     9.0
regards,
KAM
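
Added example, not part of the original thread and not KAM's or SpamAssassin's code: a Python harness that applies the posted sub-rule patterns to constructed messages and counts hits the way the meta does, so the 3-of-6 threshold can be checked against ham samples before the rule is scored at 9.0. Assumptions: single-part text bodies; __KAM_BODY_LENGTH_LT_128 (referenced in the post but not shown) is modelled as a plain character count; the function names and sample messages are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns copied from the KAM_YAHOO sub-rules above, with wrapped lines rejoined.
YAHOO1 = re.compile(r"\@(yahoo.com|yahoo.com.id|rocketmail.com)", re.I)
YAHOO2 = re.compile(r"^(FOR |Hey$|hi$|look at this$|great!?$|amazing!?|the best!?$"
                    r"|excellent!?$|very good!?$|great!?$)")
YAHOO3 = re.compile(r"\d{1,2}[\\\/]\d{1,2}[\\\/]\d{2,4} "
                    r"\d{1,2}\:\d{1,2}\:\d{1,2} (AM|PM)")
YAHOO4 = re.compile(r"Connor Hopkins", re.I)

def kam_yahoo_hits(raw):
    """Return the names of the sub-rules that hit on one raw message."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    subject = msg.get("Subject")
    # Assumption: single-part text body, whitespace collapsed like rendered text.
    body = " ".join(msg.get_payload().split())
    checks = {
        "__KAM_YAHOO1": YAHOO1.search(from_hdr),
        "__KAM_YAHOO2": subject is not None and YAHOO2.search(subject),
        "__KAM_YAHOO3": YAHOO3.search(body),
        "__KAM_YAHOO4": YAHOO4.search(parseaddr(from_hdr)[0]),
        # Assumption: the length rule is modelled as a plain character count.
        "__KAM_BODY_LENGTH_LT_128": len(body) < 128,
        "MISSING_SUBJECT": subject is None,
    }
    return [name for name, hit in checks.items() if hit]

def kam_yahoo(raw):
    """Meta condition from the rule: at least 3 of the 6 sub-rules hit."""
    return len(kam_yahoo_hits(raw)) >= 3

# Constructed sample messages (not real mail).
LINK_SPAM = ("From: Some User <someone@yahoo.com>\nSubject: hi\n\n"
             "http://example.invalid/x\n2/22/2013 3:27:10 PM\n")
SHORT_HAM = ("From: Friend <friend@yahoo.com>\nSubject: Lunch tomorrow?\n\n"
             "Are we still on for noon?\n")
SHORT_HI = ("From: Friend <friend@yahoo.com>\nSubject: hi\n\n"
            "Are we still on for noon?\n")

if __name__ == "__main__":
    for name, raw in [("LINK_SPAM", LINK_SPAM), ("SHORT_HAM", SHORT_HAM),
                      ("SHORT_HI", SHORT_HI)]:
        print(name, kam_yahoo(raw), kam_yahoo_hits(raw))
```

SHORT_HI reaches the threshold on sender domain, subject and body length alone, which is the kind of short legitimate message worth including in a ham corpus when tuning the score.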